1 / 16

Preventing Denial of Service Attacks

Preventing Denial of Service Attacks. Source Paper: Detecting and Preventing IP-spoofed Distributed DoS Attacks Authors:Yao Chen, Shantanu Das,Pulak Dhar , Abdulmotaleb El Saddik,and Amiya Nayak by N.V.Krishna Rao (08033D0501) Under Supervision and Guidance of

aggie
Download Presentation

Preventing Denial of Service Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Preventing Denial of Service Attacks Source Paper: Detecting and Preventing IP-spoofed Distributed DoS Attacks Authors:Yao Chen, ShantanuDas,PulakDhar, Abdulmotaleb El Saddik,andAmiyaNayak by N.V.KrishnaRao (08033D0501) Under Supervision and Guidance of Dr. DurgaBhavaniS.V.S.HanumanthaRao (Internal Guide) (External Guide)

  2. Preventing Denial of Service Attacks DoS Attacks: The denial-of-service(DoS) attacks whose sole purpose is to reduce or eliminate the availability of a service provided over the Internet, to its legitimate users. This is achieved either by exploiting the vulnerabilities in the software, network protocols, or operation systems, or by exhausting the consumable resources such as the bandwidth, computational time and memory of the victim. The first kind of attacks can be avoided by patching-up vulnerable software and updating the host systems from time to time. The second kind of DoS attacks are much more difficult to defend. This works by sending a large number of packets to the target, so that some critical resources of the victim are exhausted and the victim can no longer communicate with other users. IP Spoofing : A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. A hacker uses a variety of techniques in IP Spoofing, to find an IP address of a trusted host and then modify the packet headers so that it appears to victim that the packets are coming from that trusted host.

  3. Approaches for Defending DoS Attacks Preventive Source Tracking Reactive Defense Solutions Proactive Server Roaming Scheme Packet Marking Schemes Path Identifier scheme (Pi) Probabilistic Packet Marking(PPM) Pushback method Deterministic Marking Approach(DPM) D-WARD Message Traceback Method Packet Score Logging Neighbor Stranger- Traffic Observation Method Discrimination (NSD)

  4. Preventive Defense: The preventive schemes aim at improving the security level of a computer system or network; thus preventing the attacks from happening, or enhancing the resistance to attacks. Such solutions are generally costly and difficult to really prevent attacks Proactive Server Roaming Scheme: A Proactive Server Roaming Scheme belongs to this category. This system is composed of several distributed homogeneous servers and the location of active server changes among them using a secure roaming algorithm. Only the legitimate users will know the server’s roaming time and the address of new server. All connections are dropped when the server roams, so that the legitimate users can get services at least in the beginning of each roaming epoch before the attacker finds the active server out again.

  5. Source Tracking: • The source-tracking schemes aim to track-down the sources of attacks, so that punitive action can be taken against them and further attacks can be avoided. • A common problem existing in these solutions is that the reconstruction of attack path becomes quite complex and expensive when there are a large number of attackers. These types of solutions are designed to take corrective action after an attack has happened and cannot be used to stop an ongoing DoS attack. Packet Marking Schemes: • Probabilistic packet marking (PPM), in which the routers insert path information into the Identification field of IP header in each packet with certain probability, such that the victim can reconstruct the attack path using these markings and thus track down the sources of offending packets. • Deterministic Marking Approach (DPM), in which only the address of the first ingress interface a packet enters instead of the full path the packet passes (as used in PPM) is encoded into the packet.

  6. Message Traceback Method: In the message tracebackmethod,routers generate ICMP traceback messages for some of received packets and send with them. By combining the ICMP packets with their TTL differences,the attack path can be determined.Some factors are considered to evaluate the value of an ICMP message, such as how far is the router to the destination ,how quick the packet is received after the beginning of attack, and whether the destination wishes to receive it. Logging: Logging is to record packet information at routers. The path to the attacker can be determined by the routers exchanging information with each other. Traffic-Observation Method: The Traffic-Observation method is to determine the attack path by observing the rate change of attack traffic. During an attack, basing on the knowledge of the Internet topology, the victim floods an incoming link with excessively large numbers of packets, so that the attack traffic will be reduced if it comes from this link. By performing the link test recursively, the attacker can be finally found out.

  7. Reactive Solutions: The Reactive measures for DoS defense are designed to detect an ongoing attack and react to it by controlling the flow of attack packets to mitigate the effects of the attack. The success of the reactive schemes depends on a precise differentiation between good and attack packets (containing spoofed source addresses) and must ensure that packets from legitimate users are should not dropped. Path Identifier Scheme (PI): This scheme uses the idea of packet marking for filtering out the attack packets instead of trying to find the source of such packets. This scheme uses a path identifier (Pi) to mark the packets; the Pi field in the packet is separated into several sections and each router inserts its marking to one of these. Once the victim has known the marking corresponding to attack packets, it can filter out all such packets coming through the same path. Pushback method: The Pushback method generates an attack signature after detecting a congestion, and applies a rate limit on corresponding incoming traffic. This information is then propagated to upstream routers, and the routers help to drop such packets, so that the attack flow can be pushed back.

  8. D-WARD : D-WARD is designed to be deployed at the source network. It monitors the traffic between the internal network and outside and looks for the communication difficulties by comparing with predefined normal models. A rate limit will be imposed on any suspicious outgoing flow according to its offensive. PacketScore scheme: A PacketScore scheme estimates the legitimacy of packets and computes scores for them by comparing their attributes with the normal traffic. Packets are filtered at attack time basing on the score distribution and congestion level of the victim. Neighbor Stranger Discrimination (NSD): In the Neighbor Stranger Discrimination (NSD) approach, NSD routers perform signing and filtering functions besides routing. It divides the whole network into neighbors and strangers. If the packets from a network reach the NSD router directly without passing through other NSD routers, this network is a neighbor network .Two NSD routers are neighbor routers to each other if the packets sending between them do not transit other NSD routers. Therefore, a packet received by an NSD router must either from a neighbor networks, or from a neighbor router. Each NSD router keeps an IP addresses list of its neighbor networks and a signatures list of its neighbor routers. If a packet satisfies neither of the two conditions, it is looked as illegitimate and dropped.

  9. Designing an Effective Protection Scheme: • The scheme should be able to control or stop the flow of attack packets before it can overwhelm the victim. The timely detection and immediate reaction to an attack is essential, to prevent the depletion of resources at the victim location. The suitable place to deploy defense scheme are the perimeter routers or the firewall of a network. • In stopping the flow of attack packets (containing spoofed source addresses) to the victim, the scheme must ensure that packets from legitimate users are successfully received so that the service to the legitimate users is not denied or degraded. Any degradation in service would signify a partial success for the denial of service attack.

  10. Project Proposal (MDAF Scheme): This Project explores mechanisms for defending against Denial of Service attacks (Dos), have become one of the major threats to the operation of the Internet today. It proposes a scheme for detecting and preventing the most harmful and difficult to detect DoS Attacks those that use IP address spoofing to disguise the attack flow. The scheme is based on a firewall that can distinguish the attack packets(containing spoofed source addresses) from the packets sent by legitimate users, and thus filters out most of the attack packets before they reach the victim. The scheme allows the firewall system to configure itself based on the normal traffic of a Web server, so that the occurrence of an attack can be quickly and precisely detected. The MDAF scheme employs a firewall at each of the perimeter routers of the network to be protected and the firewall scans the marking field of all incoming packets to selectively filter-out the attack packets. On employing this marking scheme, when a packet arrives at its destination, its marking depends only on the path it has traversed. If the source IP address of a packet is spoofed, this packet must have a marking that is different from that of a genuine packet coming from the same address. The spoofed packets can thus be easily identified and dropped by the filter, while the legitimate packets containing the correct markings are accepted.

  11. Marking Scheme: Computing the Packet Marking: The mark made by a router would be a function of its IP address. To fit the 32-bit IP address A of a router into the ID field, we employ a hash function h that converts A to a 16-bit value. We adopt the CRC-16 hash function which is easy to compute and has low collision rate. Since attackers can easily know the routers’ IP addresses, they can spoof the marking on a packet if they know the hash function used by each router. We cannot expect every router in the Internet to participate in the marking scheme and mark all packets passing through it. If a packet with such a spoofed marking passes through a route where there are no co-operating routers, this packet is impossible to be identified as an attack packet. To avoid such spoofing of the marking, each router R uses a 16-bit key KR (which is a random number chosen by the router) when computing its marking. The marking for a router R is calculated as MR = h(A) XOR KR, where A is the IP address of the router. After receiving a packet the router computes the marking M = MR XOR Mold, if an old marking Mold exists in that packet, and replaces Mold with M.

  12. Inserting Order Information: One possible drawback with the scheme mentioned above is that the marking on a packet depends only on the routers it passes through, but not on the order passing them. This means that the packets which pass the same routers on two different paths have the same marking.To make the marking scheme more effective, we let each router perform a Cyclic Shift Left(CSL) operation on the old marking Mold and compute the new marking as M = CSL(Mold) XOR MR. In this way, the order of routers influences the final marking on a packet received by the Firewall.

  13. Filtering Scheme: Complete Filtering Scheme: 1) If the (IP-address, Marking) pair is same with one of the records in the Filter Table, the packet is received. 2) If the source IP address of the packet exists in theFilter Table, but the marking does not match, this packet is considered to be a spoofed packet and is dropped. TMC is incremented. 3) If the source IP address does not appear in the Filter Table, then this packet is accepted with a probability p. TMC is incremented. 4) If the TMC value exceeds the threshold, an attack is signaled. 5) All echo reply messages that are received as responses to the firewall’s requests are handled by the Check List verification process. They are not passed through the filter.

  14. Learning Phase: To distinguish the spoofed packets, the firewall needs to keep a record of the genuine markings. During normal time that no attacks are happening, the firewall can learn about the correct markings for packets sent from specific IP addresses. The (IP-address, Marking) pairs are stored in a Filter Table, which are later used to verify each incoming packet and filter-out the spoofed ones. The learning phase continues for a sufficient time to allow most of the filter table to be filled up. Normal Filtering Procedure: After the learning phase, the firewall begins to perform its normal filtering operations. To the packet from an IP address recorded in the Filter Table, it is accepted if it has a consistent marking; otherwise, it is dropped . For the packet from a new IP address, we accept it with probability p and put the (IP-address, Marking) pair to a Check List, so that the marking can be verified. The value of p is set to high (close to 1) initially. When an attack is detected, the value of p is decreased according to the packet arrival rate and the victim’s capability for handling the incoming traffic.

  15. Marking Verification: To verify the markings in the Check-List, a random echo message is sent periodically to the source address for each (IP-address, Marking) pair in the Check-List, and a counter is used to record the number of echo messages have been sent for it. To avoid the reply being imitated by the attacker, the content of the echo message is recorded in the Check-List and compared with the content of reply received. On receiving an echo reply from the source, the marking can be verified and the (IP-address, Marking) pair is moved to the Filter Table; otherwise, it indicates the previously received packet was spoofed, then this pair is deleted from the Check List. If the counter in the CheckList shows that more than d(= 10) echo messages have been sent to an IP address x, then the entry for this IPaddress is removed from the Check List and the pair (x,ø) is added to the filter table, where ø is a special symbol denoting that all packets having source IP address x should be discarded. Since in this situation, this source IP must be either non-existent or inactive, so that the packets received with this source address are coming from the attacker and need to be rejected. Attack Detection: To detect the start of a DoS attack, we use a counter called Total-Mismatches-Counter (TMC), which counts the number of packets whose marking cannot be matched at the firewall. This includes both packets with incorrect markings as well as packets from unknown source addresses that are not recorded in the Filter Table. When the TMC value becomes greater than a threshold , it is considered as a signal of DoS attack. The value of TMC is reset to zero after fixed intervals to ensure that the cumulative results over a long duration is not considered as the indication of attack by mistake.

  16. Software and Hardware Requirements: Windows XP JSE 6 Pentium 4 NIC(Network Interface Card) Ms - Access

More Related